From 14eaca337af0fe3c66624a1a808157b6de8bff68 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Fri, 18 Jan 2019 15:01:53 -0500
Subject: Vendor in latest opencontainers/selinux

This will now verify labels passed in by the user.
Will also prevent users from accidently relabeling their homedir.

podman run -ti -v ~/home/user:Z fedora sh

Is not a good idea.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 cmd/podman/create.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'cmd')

diff --git a/cmd/podman/create.go b/cmd/podman/create.go
index d98b78bd4..93f38d2db 100644
--- a/cmd/podman/create.go
+++ b/cmd/podman/create.go
@@ -172,7 +172,11 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
 		if err != nil {
 			return errors.Wrapf(err, "container %q not found", config.PidMode.Container())
 		}
-		labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...)
+		secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+		if err != nil {
+			return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+		}
+		labelOpts = append(labelOpts, secopts...)
 	}
 
 	if config.IpcMode.IsHost() {
@@ -182,7 +186,11 @@ func parseSecurityOpt(config *cc.CreateConfig, securityOpts []string) error {
 		if err != nil {
 			return errors.Wrapf(err, "container %q not found", config.IpcMode.Container())
 		}
-		labelOpts = append(labelOpts, label.DupSecOpt(ctr.ProcessLabel())...)
+		secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+		if err != nil {
+			return errors.Wrapf(err, "failed to duplicate label %q ", ctr.ProcessLabel())
+		}
+		labelOpts = append(labelOpts, secopts...)
 	}
 
 	for _, opt := range securityOpts {
-- 
cgit v1.2.3-54-g00ecf